Re: 3850 FUJI 16.9 code TACACS+ configuration - Page 2

rb300 · ‎04-03-2019

Does anyone have any advice of the "correct" configuration of TACACS+ on the 3850 series.

I have recently upgraded a switch to 16.9.3 (FUJI) code.

On older switches I would use the following sample to configure TACACS+

aaa new-model

tacacs server ServerA
address ipv4 10.10.10.10
key abcd1234

I am now presented with (after the last command "key abcd1234")

WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

I have been searching for a "new" syntax for hte command but have been unseccesful.

Cisco documentation from the "Security Configuration Guide, Cisco IOS XE Fuji 16.9.x"

Chapter: Configuring TACACS+
How to Configure Switch Access with TACACS+"
Identifying the TACACS+ Server Host and Setting the Authentication Key

This sounded exactly what I was looking for. But the summary and detailed steps do not include anything for setting the Authentication Key

"SUMMARY STEPS"
1. enable
2. configure terminal
3. tacacs server server-name
4. address {ipv4 | ipv6 } ip address
5. exit
6. aaa new-model
7. aaa group server tacacs+ group-name
8. server ip-address
9. end
10. show running-config
11. copy running-config startup-config

I appreciate that the old syntac is still accepted, but would like to get the new syntax if possible.

Thanks

Peter Paluch · ‎03-10-2020

Hello @hemmerling,

I sincerely suspect that if the key config-key password-encrypt works only when entered by hand, and not from script, then there are very likely some extra characters coming in from the script that become a part of the master key. It may be a whitespace, or it may be different newline characters from what is expected and sufficient for IOS CLI (such as CRLF instead of just CR).

Can you double-check the script and play a little with the newline setting? There is a difference between \r (CR), \f (LF), and \n (which may translate to CRLF, CR, LF or something even more different depending on the default OS type where you run the script). Cisco IOS CLI should be fine with CR but please try out different options. Also, make sure that you do not pass any whitespace right after the password to the command.

I'd love to hear back from you.

Best regards,
Peter

hemmerling · ‎03-10-2020

I checked it again, confirmed that the script was using Unix style EOL (LF) and I can confirm, that under 16.x.x on a 3650 or a 3850 or even a 4300 router that you can not set the "key config-key password-encrypt MYPASSWORDHERE" via script and it only works from the CLI.

If you run the "key config-key password-encrypt MYPASSWORDHERE" command first in a script and then turn on "password encryption aes" and then set up keys later on down in the script, that it will not create type 6 keys only type 7. Only after you type "key config-key password-encrypt MYPASSWORDHERE" in a CLI first will the script be able to set type 6 keys.

Peter Paluch · ‎03-11-2020

Hello,

Hmmm... Would it be possible for you in fact to share the script you're using? When I get a few minutes spare time, I can try testing it and seeing what's going on.

Many thanks!

Best regards,
Peter

hemmerling · ‎03-11-2020

Sadly no, at least not the whole thing (it's 980 lines long anyway), but here is the passwords, DOT1X, line and TACACS portion (with real passwords, non-relevant commands and IPs sanitized obviously).

Here is enough to show that with a blank switch (as in erase startup, blank) that you cannot set "key config-key password-encrypt PASSWORD" with a script. (you can tell it didn't work because it doesn't create type 6 passwords only type 7).

So run the script, then look up the password types, then run it again if you want, it will never work to create type 6 types (even though the "password aes" command will show up int the running config).

However, type "key config-key password-encrypt PASSWORD" manually into the CLI and run the script again, you'll see that all the type 7s are now type 6.

!
! ---- PASSWORDS ----
!
service password-encryption
key config-key password-encrypt MYCOREPASSWORD
password encryption aes
enable algorithm-type sha256 secret MYENABLEPASSWORD
username LOCALUSER privilege 15 algorithm-type sha256 secret 
ip domain name MYDOMAIN
crypto key generate rsa general modulus 2048
!
! ---- GLOBAL DOT1X WIRED ----
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius 
authentication mac-move permit
dot1x system-auth-control
radius-server dead-criteria time 30 tries 14
radius-server retry method reorder
ip radius source-interface loop 0
!
no radius server MYRADIUSSERVER1
radius server MYRADIUSSERVER1
 address ipv4 192.168.0.11 auth-port 1812 acct-port 1813
 key 0 MYRADIUSPASSWORD
!
no radius server MYRADIUSSERVER2
radius server MYRADIUSSERVER2
 address ipv4 192.168.1.11 auth-port 1812 acct-port 1813
 key 0 MYRADIUSPASSWORD
!
! ---- TACACS SETUP ----
!
aaa group server tacacs+ MYTACACSGROUP
 no server name MYTACACSSERVER1
 server name MYTACACSSERVER1
 server-private 192.168.0.12 key 0 MYTACACSPASSWORD
!
 no server name MYTACACSSERVER2
 server name MYTACACSSERVER2
 server-private 192.168.1.12 key 0 MYTACACSPASSWORD
!
aaa authentication login VTYMETHOD group MYTACACSGROUP local enable
aaa authentication login CONMETHOD group MYTACACSGROUP local enable
aaa authentication enable default enable none
aaa authentication username-prompt Username:
aaa authentication password-prompt Password:
aaa authorization console
aaa authorization config-commands
aaa authorization exec CONMETHOD group MYTACACSGROUP local if-authenticated 
aaa authorization exec VTYMETHOD group MYTACACSGROUP local 
aaa accounting exec default start-stop group MYTACACSGROUP
aaa accounting network default start-stop group MYTACACSGROUP
aaa accounting connection default start-stop group MYTACACSGROUP
aaa accounting system default start-stop group MYTACACSGROUP
tacacs-server timeout 5
ip tacacs source-interface loop 0
!
no tacacs server MYTACACSSERVER1
tacacs server MYTACACSSERVER1
address ipv4 192.168.0.12
key 0 MYTACACSPASSWORD
port 49
!
no tacacs server MYTACACSSERVER2
tacacs server MYTACACSSERVER2
address ipv4 192.168.1.12
key 0 MYTACACSPASSWORD
port 49
!
! ----LINE IN SETTINGS ----
!
line vty 0 4
 authorization exec VTYMETHOD
 login authentication VTYMETHOD
!
line con 0
 authorization exec CONMETHOD
 login authentication CONMETHOD
end

Here is the relevant portion of the end user interface configuration (the part that pertains to DOT1X).

!
! ---- LOCAL INTERFACES ----
!
int ran gi 1/0/1 - 48
 switchport access vlan 123
 switchport mode access
 switchport voice vlan 456
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
end

Remember for anyone trying to use type 6 RADIUS passwords on 16.9.5 with FIPS enabled (as of March 11,2020), that those don't seem to work at all.

Cristian Matei · ‎03-10-2020

Hi,

Funny question:

"

Who writes these error messages? Setting the password encryption to AES calls a Master Key Change Notification ?

There is no way to set the Master Key in the password encryption statement. "

Simple answer: humans, but this is what i call "Beer programming" . In the old days you would expect an error/warning/informational message to give you some hints/guidance. Nowadays it gives you just headaches.

Regards,

Cristian Matei.